A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.
Weakness
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fortianalyzer | Fortinet | 6.2.0 (including) | 7.0.10 (excluding) |
| Fortianalyzer | Fortinet | 7.2.0 (including) | 7.2.4 (excluding) |
| Fortianalyzer | Fortinet | 7.4.0 (including) | 7.4.2 (excluding) |
| Fortianalyzer_big_data | Fortinet | 6.4.5 (including) | 6.4.7 (including) |
| Fortianalyzer_big_data | Fortinet | 7.0.1 (including) | 7.0.6 (including) |
| Fortianalyzer_big_data | Fortinet | 7.2.0 (including) | 7.2.6 (excluding) |
| Fortianalyzer_big_data | Fortinet | 6.2.5 (including) | 6.2.5 (including) |
| Fortimanager | Fortinet | 6.2.0 (including) | 7.0.10 (excluding) |
| Fortimanager | Fortinet | 7.2.0 (including) | 7.2.4 (excluding) |
| Fortimanager | Fortinet | 7.4.0 (including) | 7.4.2 (excluding) |
| Fortiportal | Fortinet | 5.3.0 (including) | 6.0.15 (excluding) |